Case 3: Tapping into an APPN network
A young employee was able to connect to his company’s APPN network. He then did something really easy: using a trace (BUFFER or VIT), he found, within the logon requests sent by the central VTAM, his own cross-domain as well as cross-network resources. Then he wrote a Java program that used the LUNAME of a sensitive IMS application. This program simply sent the welcome panel of that application, “Please Enter User ID and Password.” The employee had obtained the welcome panel by simply cutting and pasting from the original application.
When the end user entered his user ID and password, not knowing to whom this data was going, the false application stored the user ID and password into his laptop and terminated the session. The employee was able to collect many valid user ID and password combinations, which he could then use to logon to the sensitive IMS application. You can imagine the next step! What if he was able to access the payroll application or the application that tells the location of the test wells being drilled for an oil and gas company?
Case 4: Hacking Into SNA Using a Dial-in Function
One company has offered dial-in access to its employees for many years. Unfortunately, an unscrupulous employee used this dial-in access to hack into the company network. The company discovered this young man’s activities only because, after the regular restart of the production system one weekend, the system could not receive any logons from the network! After several hours of intensive analysis, the staff finally determined that a hacker was rerouting logons. The result was unnecessarily long system downtime.
Can you imagine what other ways there are to damage a company or organization? Sometimes the security implemented is the weakest element in the chain!
What Can You Do?
The most important thing is to implement LU-LU and CP-CP verification. This verifies, for every SNA connection, that the LU-LU or CP-CP session is taking place between the intended partners. Once implemented, you must check that all sessions are actually using the verification feature; in practice this cannot be done without an automated control. We recommend an automated system that alerts you to, and logs, any security problems.
Make sure that you have removed all unused definitions from your VTAMLST and other related data sets. This prevents hackers from using old CP names or definitions to simulate systems on your network.
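An automated check of the kind recommended above, added here as an illustration and not code from the original article: it parses constructed VTAMLST-style APPL definitions, reports applications whose VERIFY operand (LU-LU session-level verification) is not REQUIRED, and lists definitions that never appear in a constructed session log, which are candidates for removal. The definition layout, the sample definitions and the log record format are assumptions made for the example.

```python
import re

# Constructed VTAMLST-style APPL definitions (sample input, not from a real system). Assumed
# layout: label in column 1, statement type, comma-separated operands; a trailing comma continues.
VTAMLST = """\
PAYAPPL  APPL  ACBNAME=PAYROLL,AUTH=(ACQ,PASS),
               VERIFY=REQUIRED,SECLVL=LEVEL2
IMSPROD  APPL  ACBNAME=IMSPROD,AUTH=(ACQ)
OLDTEST  APPL  ACBNAME=OLDTEST,VERIFY=NONE
WELLS01  APPL  ACBNAME=WELLS01,VERIFY=OPTIONAL
"""

# Constructed session records from an automated control (record format assumed, not VTAM output).
SESSION_LOG = """\
2000-03-01 08:02 SESSION PLU=PAYAPPL SLU=TRMA001
2000-03-01 08:05 SESSION PLU=IMSPROD SLU=TRMA017
"""

def split_operands(s):
    """Split on commas but keep parenthesised sub-lists such as AUTH=(ACQ,PASS) intact."""
    return [m.group(0) for m in re.finditer(r"[^,()]+(?:\([^)]*\))?", s)]

def parse_appls(text):
    """Return {label: {operand: value}} for every APPL statement, joining continuation lines."""
    appls, label, buf = {}, None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("*"):        # blank or comment line
            continue
        if buf:                                      # continuation of the previous statement
            buf += line
        else:
            parts = line.split(None, 2)
            if len(parts) < 3 or parts[1] != "APPL": # only APPL statements are of interest here
                continue
            label, buf = parts[0], parts[2]
        if buf.endswith(","):                        # more operands follow on the next line
            continue
        appls[label] = dict(op.split("=", 1) for op in split_operands(buf) if "=" in op)
        buf = ""
    return appls

def check_verification(appls):
    """Labels whose LU-LU verification is not REQUIRED (operand missing, NONE or OPTIONAL)."""
    return sorted(n for n, ops in appls.items() if ops.get("VERIFY", "NONE") != "REQUIRED")

def find_unused(appls, log):
    """Defined APPLs that never appear as a session partner in the log: candidates for removal."""
    return sorted(set(appls) - set(re.findall(r"\b(?:PLU|SLU)=(\w+)", log)))
```

Run periodically against the real definition members and a session log collected over a representative period; a definition that is never used is a candidate for review, not for blind deletion.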
Enterprise Extender is a new technology from IBM that is used to integrate SNA applications into TCP/IP networks. It is a set of extensions to the existing APPN High Performance Routing (HPR) protocol. The HPR frames are sent using User Datagram Protocol (UDP) packets. To the HPR network, the IP backbone is a logical link; to the IP network, the SNA traffic is UDP datagrams that are routed without hardware or software changes to the IP backbone.
Unfortunately, the wide adoption of IBM’s Enterprise Extender Technology increases the problem of hackers accessing your system because now your data center may be connected to another data center many miles away or many countries away. Now, you have opened your company to hackers from the other end of the Enterprise Extender. You may have adequate physical security at your end of the connection, but what about at the other end?
Hackers are getting smarter and more aggressive. Many IT experts don’t know that 99 percent of all attacks are a result of already known weak points or misconfigurations. Put directly, this means that 99 percent of all attacks are essentially avoidable.